Loadlibrary is for pen-testers and security researchers

Loadlibrary's sole purpose is to let researchers load and run Windows DLLs on Linux so that the code inside them can be exercised by specialized testing tools called fuzzers.

These tools perform an automated process called fuzzing: they feed a piece of software large volumes of malformed or random input and watch for abnormal behavior such as crashes, hangs, or memory errors, each of which may point to an exploitable bug.

Google's security experts are big fans of fuzzing when searching for undocumented vulnerabilities. In recent years, Google has developed two of the most widely used fuzzing projects around: OSS-Fuzz, a continuous fuzzing service for open source software, and syzkaller, a kernel fuzzer.

Syzkaller is how Google engineers discovered three major bugs in the Linux kernel [1, 2, 3]. Two of these bugs had survived in the kernel code for 9 and 11 years, respectively, showing a fuzzer's ability to uncover bugs that humans had missed during manual code review.

Ormandy used tool to find "crazy bad" Windows flaw

Earlier this month, Ormandy also used fuzzing to find a vulnerability in the Microsoft Malware Protection Engine, which he later described as "crazy bad" and "the worst Windows remote code exec in recent memory." The loadlibrary project is one of the tools Ormandy used for discovering that flaw.

"Distributed, scalable fuzzing on Windows can be challenging and inefficient," Ormandy writes in the project's documentation. "This is especially true for endpoint security products, which use complex interconnected components that span across kernel and user space. This often requires spinning up an entire virtualized Windows environment to fuzz them or collect coverage data."

"This is less of a problem on Linux, and I've found that porting components of Windows Antivirus products to Linux is often possible," he adds. "This allows me to run the code I'm testing in minimal containers with very little overhead, and easily scale up testing."

The loadlibrary package Ormandy released today on GitHub includes a demo in which the researcher loads the Windows Defender scanning engine on Linux.

Loadlibrary is not a Wine replacement

Despite the demo, the researcher states plainly that his tool is not intended as a way to run Windows applications on Linux.

"This project does not replace Wine or Winelib," Ormandy says, "Winelib is used to port Windows C++ projects to Linux, and Wine is intended to run full Windows applications. This project is intended to allow native Linux code to load simple Windows DLLs."

Nonetheless, while the tool offers nothing to Linux desktop users hoping to run Windows software, it is attractive to developers and researchers, who can call into a simple Windows DLL from a native Linux program without porting the entire application that normally hosts it.
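To make concrete what "loading a simple Windows DLL" from native code involves, here is an added example written for this page, not code from loadlibrary or Ormandy. Before a loader can call an exported function it has to parse the PE headers, use the section table to translate relative virtual addresses (RVAs) into file offsets, and walk the export directory to map names to code addresses, including forwarded exports that point at another DLL. The PE image below is constructed inside the block (a fake PE32+ with one section, no code, and hypothetical function names and RVAs) so the parser runs offline; it is a simplified version of that first step only, and does not map sections, apply relocations, or resolve imports.

```python
"""Parse the export table of a PE image (added example; not loadlibrary's code)."""
import struct


def build_fake_dll() -> bytes:
    """Constructed minimal PE32+ image: headers plus one section holding an export table.

    Not a real DLL: it has no code, and the function names and RVAs are hypothetical."""
    sec_rva, sec_off = 0x1000, 0x200
    funcs = [("Initialize", 0x2010), ("ScanBuffer", 0x2040),
             ("GetVersion", 0x2080), ("LegacyScan", "OTHER.ScanBuffer")]  # last one is a forwarder
    n = len(funcs)
    order = sorted(range(n), key=lambda i: funcs[i][0])  # name table is kept sorted, as linkers do
    body = bytearray(40)                                   # IMAGE_EXPORT_DIRECTORY, filled in last
    funcs_pos = len(body); body += bytes(4 * n)            # AddressOfFunctions
    names_pos = len(body); body += bytes(4 * n)            # AddressOfNames
    ords_pos = len(body); body += b"".join(struct.pack("<H", i) for i in order)  # AddressOfNameOrdinals
    dllname = len(body); body += b"fake.dll\0"
    for slot, i in enumerate(order):
        struct.pack_into("<I", body, names_pos + 4 * slot, sec_rva + len(body))
        body += funcs[i][0].encode() + b"\0"
    for i, (_, target) in enumerate(funcs):
        if isinstance(target, str):  # forwarder: slot points at a "DLL.Symbol" string inside the table
            struct.pack_into("<I", body, funcs_pos + 4 * i, sec_rva + len(body))
            body += target.encode() + b"\0"
        else:
            struct.pack_into("<I", body, funcs_pos + 4 * i, target)
    struct.pack_into("<IIHHIIIIIII", body, 0, 0, 0, 0, 0, sec_rva + dllname, 1, n, n,
                     sec_rva + funcs_pos, sec_rva + names_pos, sec_rva + ords_pos)

    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)                      # e_lfanew = 0x40
    opt = struct.pack("<HBBIIIII", 0x20B, 14, 0, 0, len(body), 0, 0, sec_rva)  # PE32+ standard fields
    opt += struct.pack("<QIIHHHHHHIIIIHHQQQQII", 0x180000000, 0x1000, 0x200, 6, 0, 0, 0, 6, 0, 0,
                       sec_rva + 0x1000, sec_off, 0, 2, 0x160, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = struct.pack("<II", sec_rva, len(body)) + bytes(8 * 15)             # entry 0 = export table
    file_hdr = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, len(opt) + len(dirs), 0x2022)  # x64 DLL
    sect = struct.pack("<8sIIIIIIHHI", b".edata", len(body), sec_rva, len(body), sec_off, 0, 0, 0, 0, 0x40000040)
    image = dos + b"PE\0\0" + file_hdr + opt + dirs + sect
    return image + bytes(sec_off - len(image)) + bytes(body)


def parse_exports(image: bytes) -> dict:
    """Return {name: rva} for named exports; forwarders map to ("forwarded", "DLL.Symbol")."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe = struct.unpack_from("<I", image, 0x3C)[0]
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", image, pe + 6)[0]
    opt_size = struct.unpack_from("<H", image, pe + 20)[0]
    opt = pe + 24
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic %#x" % magic)
    dirs = opt + (96 if magic == 0x10B else 112)  # data directories follow the optional header
    exp_rva, exp_size = struct.unpack_from("<II", image, dirs)
    sections = []
    for i in range(nsec):
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", image, opt + opt_size + 40 * i + 8)
        sections.append((va, max(vsize, rawsize), rawptr))

    def offset(rva: int) -> int:  # RVA -> file offset via the section table
        for va, size, raw in sections:
            if va <= rva < va + size:
                return raw + (rva - va)
        raise ValueError("RVA %#x is not backed by any section" % rva)

    def cstring(rva: int) -> str:
        start = offset(rva)
        return image[start:image.index(b"\0", start)].decode("ascii")

    _base, nfuncs, nnames, a_funcs, a_names, a_ords = struct.unpack_from("<6I", image, offset(exp_rva) + 16)
    exports = {}
    for i in range(nnames):
        name_rva = struct.unpack_from("<I", image, offset(a_names) + 4 * i)[0]
        index = struct.unpack_from("<H", image, offset(a_ords) + 2 * i)[0]  # unbiased ordinal
        if index >= nfuncs:
            raise ValueError("ordinal out of range for %s" % cstring(name_rva))
        func_rva = struct.unpack_from("<I", image, offset(a_funcs) + 4 * index)[0]
        if exp_rva <= func_rva < exp_rva + exp_size:  # points inside the export table: forwarder string
            exports[cstring(name_rva)] = ("forwarded", cstring(func_rva))
        else:
            exports[cstring(name_rva)] = func_rva
    return exports


if __name__ == "__main__":
    for name, where in parse_exports(build_fake_dll()).items():
        print(name, where if isinstance(where, tuple) else hex(where))
```

Two details are worth noting because they trip up ad-hoc loaders: the ordinal table holds indexes into the function table (the biased ordinal minus `Base`), not the ordinals themselves, and a function RVA that lands inside the export directory is not code but a forwarder string naming another DLL's symbol. A loader that ignores the second case will happily jump into ASCII text.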

Catalin Cimpanu is the Security News Editor for Bleeping Computer, where he covers topics such as malware, breaches, vulnerabilities, exploits, hacking news, the Dark Web, and a few more. Catalin previously covered Web & Security news for Softpedia between May 2015 and October 2016.